We published a call to action to stop upload filters from becoming the norm in the EU. Check out more information at https://edri.org/contact-ep-juri/
Published originally at: https://edri.org/six-states-raise-concerns-about-legality-of-copyright-directive/
According to a new leak, a number of EU Member States share our serious concerns about the proposal for mass surveillance and censorship of uploads to the internet in Europe, included in the European Commission’s proposal for a new copyright Directive. Those Member States seem unwilling to build a censorship machine forcing EU countries to adopt Google’s current practices. They highlight that such practices should not be implemented without making sure of the consequences for fundamental rights and for the rule of law.
The leaked document contains a list of questions posed to the internal legal service of the Council of the EU, signed by six EU Member States: Belgium, the Czech Republic, Finland, Hungary, Ireland and the Netherlands. From the questions, it appears that those Member States feel that the proposals for the upload filter are so grave that their legality is in serious doubt. They have asked the Council legal service to evaluate if the proposal is legal, in light of the proactive monitoring of content being demanded. Following the rulings (Scarlet/Sabam, Netlog/Sabam) of the Court of Justice of the European Union (CJEU) that such proactive filtering is a disproportionate breach of freedom of expression and information, of the freedom to conduct a business and of the right to the protection of personal data, the Member States want a neutral evaluation.
They also ask if these measures are “justified and proportionate”, in order to verify if they would be in line with the Charter of Fundamental Rights of the European Union. These Member States also ask whether one article of the proposed copyright Directive could fundamentally change the scope of the liability principles for internet providers in the e-commerce Directive. Those principles are crucial for freedom of expression in Europe, because they prevent internet companies from being excessively incentivised to restrict users’ communications.
The six Member States also raised crucial questions about the argument that searching for specific files (within all internet traffic) is a “general” monitoring obligation (see Question 3). This doubt appears very valid, bearing in mind that the e-Commerce Directive (recital 47) explicitly states that exceptions to the prohibition of general monitoring obligations would only be possible when searching for data in “a specific case”. Are millions of searches “a specific case”?
Finally, they also ask whether the wording “communication to the public” is being mixed up with the expression “providing access” when, as these Member States recall, “(t)he CJEU has never considered that is (sic) was sufficient for a service to be ‘providing access’ in order to establish that it is communicating to the public.”
The Council legal service will have to thoroughly analyse these questions before it can take a position on the subject, but right now it seems they will only deliberate orally during the next working group on 11-12 September. It is clear that the European Commission should have carried out a neutral assessment of these questions before launching its proposal for the copyright Directive, but apparently did not. Therefore, it is welcome that the six EU Member States have invested time and resources in diligently raising fundamental questions on the illegality, legal uncertainty and outright chaos that the upload filters suggested in Article 13 of the proposed Directive would bring. It is crucial to clarify what they would mean for human rights in the online environment, for European innovation and for Europe’s credibility in defending online freedoms in its foreign policy. The EU Presidency, Members of the European Parliament (MEPs) supporting the censorship machine, and some Member States (such as France, Spain, and Germany) should take note of the serious questions posed to the Council and re-think their positions on this debate.
Leaked document: Questions from Member States to the Council legal services on the Censorship Machine
EU countries question legality & attack on fundamental rights
No, you can’t enjoy the music you paid for, says EU Parliament Committee (05.07.2017)
Proposed Copyright Directive – Commissioner confirms it is illegal (28.06.2017)
EU Copyright Directive – privatised censorship and filtering of free speech (10.11.2016)
Copyright reform: Document pool
(Contribution by Diego Naranjo, EDRi)
(This article was originally published at the 24 February 2016 edition of EDRi-gram, the European Digital Rights fortnightly newsletter at: https://edri.org/data-protection-reform-next-stop-e-privacy-directive/ )
Did you think the data protection reform was finished? Think again. Once the agreement on the texts of the General Data Protection Regulation (GDPR) and the Data Protection Directive for Law Enforcement Agencies (LEDP) was reached, the e-Privacy Directive took its place as the next piece of European Union (EU) law that will be reviewed. The e-Privacy Directive (Directive 2002/58/EC on privacy and electronic communications) contains specific rules on data protection in the area of telecommunication in public electronic networks.
The Directive was first launched as part of the 1999 Communications Review and aimed to provide specific data protection rules for the e-communications sector, following the entry into force of the 1995 Data Protection Directive the previous year. The Directive dropped out of the Review package quite early in the legislative process and was not finally adopted until 2002.
The new instrument needs to cover all online processing of personal data, insofar as not already covered by the GDPR. Not least because of this, the new instrument needs to be enforced by Data Protection Authorities and not telecoms regulators, as is the case in some EU Member States. It also needs to be updated in relation to the treatment of traffic and location data, as well as other geographical information and how consent is provided in these cases. Location data – even “anonymous” location data – can raise serious security and privacy concerns.
Another element in the Directive that requires considerable re-thinking is the issue of “cookies”. A more consistent and thorough analysis needs to be done on the different types of cookies that exist (tracking cookies, non-tracking cookies, session cookies…) and how to treat them accordingly. The bad joke that consent for cookies has become has given arguments to anti-privacy/Big Data lobbies for how (meaningless) consent is the new spam. New, clearer rules should focus on improving the quality of the (very frequently profoundly misleading) information given to individuals and on reducing the number of cookie consent requests. Generally, we advise following the recommendations set by the Article 29 Working Party on this point.
The revised instrument should state that the deliberate installation of any piece of software or hardware on any device without the knowledge or consent of the owner of the device is an unauthorised access and/or data/system interference, as defined in the Council of Europe Cybercrime Convention. Another topic that cannot be avoided relates to the use of encryption in devices. In the new legislation, legislators should consider whether attempts to remove encryption, including the installation of “backdoors”, should be explicitly forbidden. Attention to how consent is provided (and revoked) for value-added services and to the harmonisation and enforcement of the “national security/public order/crime prevention” exemptions is also needed.
The agreed text of the GDPR was the best possible outcome in the current political scenario, bearing also in mind the heavy lobbying it received. The revision of the ePrivacy Directive must not undermine the good parts of the GDPR, while at the same time trying to fix the loopholes it has created. Some lobbies call for “leveling the playing field” in this area, which is not objectionable, as long as the playing field is levelled upwards and to the level set by the GDPR and the case law of the courts in Luxembourg and Strasbourg. That is the playing field, and any policy development in this area needs to stay up to those levels of protection.
Directive 2002/58/EC on privacy and electronic communications
Article 29 Working Party: Opinion 04/2012 on Cookie Consent Exemption (07.06.2012)
Data Protection Regulation Update: precise implementation depends on exceptions and Recitals (19.01.2016)
EU Data Protection Package – Lacking ambition but saving the basics (17.12.2015)
Recommendation No. R (95) 4 on the protection of personal data in the area of telecommunication services
(Contribution by Diego Naranjo, EDRi)
(Originally published at: https://edri.org/faq-pnr/)
The European Union will soon adopt a Directive on the long-term storage and use of “Passenger Name Records” (PNR) for the purpose of profiling individuals as possible serious criminals or terrorists.
What is a Passenger Name Record (PNR)?
Passenger Name Records (PNR) include information provided by passengers and collected by air carriers for commercial purposes. PNR can contain several pieces of additional information such as dates, itinerary and contact details. All PNR data is stored in airlines’ databases.
PNR was originally intended to be used only as a record that contains the itinerary for a passenger or for passengers travelling as part of a group. The idea was to allow the exchange of reservation information between airlines in case passengers needed to use different companies in order to reach their final destination. The PNR is created when someone books a flight. At that moment, the travel agent or the website managing the trip creates a PNR in a computer reservation system (CRS).
What kind of data is included?
Passenger Name Records (PNR) now can include every type of data provided by the passengers, such as, but not only, the date of the trip and complete itinerary, the name and contact information, the form of payment, frequent flyer information, meal preferences and medical information. In some cases, the airlines will have access to other data such as hotel bookings, car rentals, train journeys, travel associates, etc.
Optionally, agencies may also require more data, such as fare details, tax amounts paid, the form of payment used, further contact details, age details if it is relevant to the travel, frequent flyer data and special Service Requests.
The full list of data required by the EU PNR Directive is:
- PNR record locator
- Date of reservation/issue of ticket
- Date(s) of intended travel
- Address and contact information (telephone number, e-mail address)
- All forms of payment information, including billing address
- Complete travel itinerary for specific PNR
- Frequent flyer information
- Travel agency/travel agent
- Travel status of passenger, including confirmations, check-in status, no show or go show information
- Split/divided PNR information
- General remarks (including all available information on unaccompanied minors under 18 years, such as name and gender of the minor, age, language(s) spoken, name and contact details of guardian on departure and relationship to the minor, name and contact details of guardian on arrival and relationship to the minor, departure and arrival agent)
- Ticketing field information, including ticket number, date of ticket issuance and one-way tickets, Automated Ticket Fare Quote fields
- Seat number and other seat information
- Code share information
- All baggage information
- Number and other names of travellers on PNR
- Any Advance Passenger Information (API) data collected (inter alia document type, document number, nationality, country of issuance, date of document expiration, family name, given name, gender, date of birth, airline, flight number, departure date, arrival date, departure port, arrival port, departure time, arrival time)
- All historical changes to the PNR listed in numbers 1 to 18
What does PNR add in terms of prevention of terrorism and transnational crimes to other existing systems?
Nothing. There are other ways to access this type of information. For example, law enforcement agencies and intelligence agencies can require access to PNR data via a court order, following the regular procedures prescribed by law.
Furthermore, there are other measures that authorities can use to identify subjects who may be involved in criminal activity, such as the Schengen Information System(1), the Visa Information System(2), Eurodac(3), ECRIS(4) and API data (Advance Passenger Information).
Is it true that PNR will help to stop terrorists?
No. In many of the recent terrorist attacks the terrorists had already been flagged as people who needed further tracking. Thus, the attackers from the last terrorist incident in Paris were already known to French authorities and details of their travels were also known (7). An EU PNR Directive would not have brought any more security, only more risks. For example, there have already been cases of people being wrongly labeled on these lists based on profiling schemes and, consequently, handed over to repressive regimes and tortured (8).
Rather than creating new surveillance measures, the EU should look for more active and effective cooperation between law enforcement agencies in the EU(5)(6).
Has the EU PNR Directive been proved to be effective, proportionate or necessary?
No. The Directive is being adopted despite concerns raised by the Fundamental Rights Agency (FRA), the European Data Protection Supervisor (EDPS) and Article 29 Working Party. A study undertaken for the Council of Europe explained that “no serious, verifiable evidence has been produced by the proponents of compulsory suspicionless data collection to show that data mining and profiling by means of the bulk data in general, or the compulsory addition of bulk PNR data to the data mountains already created in particular, is even suitable to the ends supposedly being pursued –let alone that it is effective”.(9)
However, the supporters of PNR seem to follow the unquestioning belief that any form of long-term data storage – including PNR – will be valuable.
What is EDRi’s view on PNR systems?
The right to privacy and the right to data protection are fundamental rights. They are not just a social convention, but legally enforceable rights, enshrined in the Treaties, laws and the Charter of Fundamental Rights. In line with the Charter of Fundamental Rights, infringements of fundamental rights (by long-term storage of such data) are only permissible if they “genuinely meet objectives of general interest”. PNR does not respect this principle.
What are the main problems of the EU PNR proposal?
- Unlawful Blanket Data Retention: After the European Court of Justice ruling that invalidated the Data Retention Directive, it is difficult to believe that the current PNR proposal would be considered lawful.
- Excessive Data Retention Period: Even if the retention of data were considered legitimate, in the PNR context the proposed five-year period is significantly longer than could be reasonably deemed necessary or proportionate. In the European Court hearing on data retention, neither the European Commission nor the individual Member States were able to give any justification for the retention periods demanded.
- Lack of concrete protections from arbitrariness: In the text, it is unclear how the profiling will be done.
- There are existing measures (VIS(10), SIS(11) and API(12)) which already provide sufficient information: There is no evidence on whether another system would be needed.
- Lack of evidence showing that these measures are effective, necessary and proportionate in the investigation or prevention of serious crimes: From the European Commission’s own impact assessment (13), there is no concrete evidence on the actual usefulness of PNR collection for the tackling of serious crime or terrorist offences. It is particularly worrying that the European Commission states in its proposal that “PNR data is unverified information provided by passengers” (14) while remaining convinced – despite their questionable accuracy – it could be used in real time “to prevent a crime”.
- Lack of proportionality: Fundamental Rights Agency (FRA), the European Data Protection Supervisor (EDPS) and Article 29 Working Party agree on the lack of proportionality of the proposal. The proposed EU PNR system foresees data collection and analysis for all passengers on international flights without any sort of targeting.
- Excessive costs: Transposing such a Directive will bring significant costs for Member States. The high expenditure is confirmed by the European Commission’s impact assessment, which put the cost at hundreds of millions of euro.
13 European Commission impact assessment on the proposal for an EU PNR Directive: http://ec.europa.eu/smart-regulation/impact/ia_carried_out/docs/ia_2011/sec_2011_0132_en.pdf
14 Commission proposal for a Directive on the use of Passenger Name records, Page 3: http://ec.europa.eu/home-affairs/news/intro/docs/com_2011_32_en.pdf
(Originally published as an ENDitorial at EDRi gram 13.11, 3 June 2015: https://edri.org/enditorial-copywrong-copyright/)
“I’ve got two 12-year-old criminals in my kitchen and that can’t be right”
(Jonathan Worth, professional photographer)
The first round of debates surrounding the copyright reform in the European Parliament is reaching its last stages. Pavel Svoboda’s report on Intellectual Property Right (IPR) enforcement was published on 19 May. The report contains a mixture of negative and positive elements which need to be taken into consideration.
Among the negative aspects, we find simplistic statements, for example that IPR infringements discourage growth (Recital D). In reality, the situation is far more nuanced. For example, while the slow adaptation of the music industry to the digital environment has driven a lot of infringements, the market has adapted. Income from concerts has, in fact, been growing in recent years. The omnipresent mantras of “follow the money” and “commercial scale” are now happily together in the same paragraph (paragraph 3), still without a clear definition of what these concepts imply. Nobody has sought to define “follow the money” while even the European Commission has said that its 9-year-old definition of “commercial scale” is probably inadequate.
Then, sprinkled all through the Report, there is positive commentary on the generally lamentable work of the Observatory on IPR infringements. Taking into consideration the numerous flaws of much of the output of the Observatory, the gratuitous fawning and, even worse, the calls to use its work to build upon it a new “Intellectual Property” legal framework, seem misplaced and ill-informed to say the least. There is also a mention of the “lack of awareness” of the young generation of the importance of IPR infringements, referring to a study which does not actually say that. It also seems to ignore the results of the copyright consultation where thousands of users called for an Intellectual Property (IP) framework adapted to the 21st century. Finally, there is the call for “cooperation” of the main Internet stakeholders, which sounds too much like the same old call to privatised law enforcement and the undefined call to “follow the money”.
Among the positive elements, the Report presents calls for balances between fundamental rights and privatised law enforcement (paragraph 10), although it is not clear what this call actually means. There is also the support for attractive licit offers to combat unauthorised use of content (paragraph 37) and for a “comprehensive legal framework to combat IPR infringement adapted to the online environment, with full regard for fundamental rights and freedoms, fair trials, proportionality and data protection” (paragraph 57). Finally, the Report asks for measures “guaranteeing a balanced approach representing the interests of all stakeholders involved, and, in particular, of consumers and their right of access to content” (paragraph 58).
The Plenary of the European Parliament will vote on the Report in the week beginning 7 June.
Julia Reda’s Report on the implementation of the so-called InfoSoc Directive (one of the foundations of EU Copyright law), on the other hand, has been delayed and is now going to be voted on in the European Parliament Committee on Legal Affairs (JURI) on 16 June. The recently launched copywrongs.eu website contains a good summary of concrete proposals on the harmonisation of exceptions and limitations and for a modernised EU Copyright framework. This new framework should be one where the vast majority of citizens are not considered as offenders of intellectual property rights for doing things that seem (and are) perfectly normal, such as private copying or re-using copyrighted material for parody purposes. The copywrongs site also offers a free user-friendly tool developed by EDRi observer La Quadrature du Net to call Members of the European Parliament (MEPs) to let them know your position on the debate.
Given the immense disproportion between rightsholders’ lobbyists and civil society advocates, this tool will help to amplify citizens’ voice. Since there are only a few days before the vote, it is time to get informed via our handbook on copyright and via copywrongs.eu and to take action now for a modernised EU copyright framework!
EDRi’s document pool on the copyright reform
Summary report of the responses to the copyright public consultation (30.06.2014)
Economists say P2P file-sharing fuels art (18.06.2009)
Copyright in the age of the internet (EP video)
EDRi paper: Copyright – challenges of the digital era
C4C Copyright Manifesto
(Contribution by Diego Naranjo, EDRi)
Despite the decision of the European Parliament to refer the EU-Canada PNR agreement to the Court of Justice of the European Union (CJEU) in December 2014, the urge to keep increasing surveillance of citizens’ movements across Europe seems to be irrepressible. Timothy Kirkhope, Rapporteur (MEP in charge) of the Fight against terrorism and serious crime: use of passenger name record (PNR) data (procedure file 2011/0023(COD)), is again launching the EU PNR proposal in the European Parliament, after it was rejected by the Parliament’s Civil Liberties Committee in 2013.
What is PNR?
Passenger Name Records (PNR) are data containing information provided by passengers and collected by air carriers for commercial purposes. This can contain several pieces of information such as dates, itinerary and contact details. All PNR data is stored in airlines’ databases.
What kind of information do they contain?
- Date of the trip and complete itinerary,
- Name and contact information,
- Form of payment,
- Frequent flyer information,
- Meal preferences,
- Medical information,
- Non-flight matters administered by the airline, such as hotel bookings, car rentals, train journeys, travel associates, etc.
Many of these types of data can be used and aggregated to build profiles. For instance, meal preference can provide information about religious affiliation, hotel reservations can indicate passengers’ personal relationships, etc. Mr Kirkhope suggests comparing the PNR database against other databases, presumably to generate such extra data.
How will this information be used under the proposed EU PNR Directive?
The passenger data of all flights from or to the European Union could be processed for the purposes of the prevention, investigation and prosecution of serious crime, serious transnational crime and terrorist offences. However, the definitions in the Directive are so unclear that Member States are given the option of excluding “minor offences” that they cover. All passenger data would be retained by specific Passenger Information Units (PIU) up to five years (or five and a half years, if being stored by the Australian authorities under the bilateral EU/Australian agreement… or 15 years, if being stored by the US authorities under the bilateral EU/US agreement). Moreover, the proposal foresees the possibility to broaden the scope of the PNR directive by including internal European flights, a measure that Mr Kirkhope wants to introduce immediately.
What are the main problems of the EU PNR proposal?
- The ruling of the EU’s court, the Court of Justice, concerning the invalidation of the Data Retention Directive: The analysis provided in that ruling makes it difficult to believe that the current PNR proposal would be considered lawful.
- Excessive Data Retention Period: Even if the retention of data in the PNR context was considered necessary and proportionate, the proposed storage period is excessive and lacking any meaningful justification.
- Lack of concrete protections from arbitrariness: In the text, it is unclear how and when data will be processed (prevention of badly defined “serious crime”). There are existing measures (VIS, SIS and API) which already provide a great deal of information. There is no evidence another system would be needed.
- Lack of evidence showing that these measures are effective, necessary and proportionate in the detention or prevention of serious crimes. From the European Commission impact assessment, there is no concrete evidence on the actual usefulness of PNR collection for the tackling of serious crime or terrorist offences. In this regard, it is particularly worrying that the European Commission states in its proposal that “PNR data is unverified information provided by passengers” while remaining convinced – despite questionable accuracy – it could be used in real time “to prevent a crime”.
- Lack of proportionality: The Fundamental Rights Agency, the European Data Protection Supervisor, and the Article 29 Working party (most recently here) agree on the lack of proportionality of the proposal. The proposed EU PNR system foresees data collection and analysis for all passengers on international flights without any sort of targeting.
- Excessive costs: Transposing such a Directive will bring significant costs for Member States. The high expenditure is confirmed by the controversial call for proposal of 50 million euros issued by the European Commission to build PNR systems in several Member States. These funds were made available even though the legislation has not been agreed.
We have sent a letter to members of LIBE, and prepared a briefing paper and an analysis of the proposal. It is time to call and write your MEPs and let them know why this proposal needs to be rejected again.
You can also support our crowdsourcing campaign to produce postcards that will be sent to MEPs in order to make them aware of the risks of this proposal for the fundamental rights of citizens.
In the discourse of protection and respect of minorities, there is one group for which we might want to re-think our otherwise “good manners”. The minority I am thinking about has been a nomadic one for centuries, although lately they are settling more on the outskirts rather than in the center of our cities. Their origins and their ethnicity and racial features define them as a specific and homogeneous group, and they are easily recognizable. Sometimes, the terrain in which they place their homes used to be publicly owned and, because of the pressure this group is able to exert, becomes private de facto or de iure.
They tend to pay less tax than the majority of us. They benefit from the welfare system in many ways but they contribute less to it (if anything at all) than the average citizen.
Socially, it is a group that finds it difficult to be integrated in society. They wear special clothes, they listen to the music which represents their group, they commit violent crimes that most of the time go unpunished and they are cynical enough to pretend to be subjects of victimization. Being around 0.01% of society, they have vast control over all of us. With all this in mind, I think there is a minority which is increasingly dangerous and we need to be less cautious when saying these things. As Susan George said, “let's beat the bastards”.